Today is the second Tuesday of October, which means that it is the 10th Microsoft Patch Tuesday of 2015. There are only six new security bulletins this month from Microsoft, and only three of them are rated as Critical by Microsoft, but the potential scope and impact of the underlying vulnerabilities have security experts stressing the importance of applying the updates sooner rather than later.
Microsoft released 6 security bulletins, resolving a total of 19 vulnerabilities. Half of the security bulletins are Critical and all of the Critical bulletins (MS15-106, MS15-108, MS15-109) are remote code execution issues affecting Internet Explorer, the Edge browser, VBScript & JScript Engines, Windows Shell, Office, Office Services and apps, as well as Microsoft Server Software. In other words, much of the Microsoft ecosystem is vulnerable to these remote code execution flaws.
“This month is dominated by remote code execution vulnerabilities enabling information disclosure if a user opens/visits specifically crafted content,” warns Adam Nowak, Rapid7 Active Lead Engineer. “The vulnerabilities affect Internet Explorer, Edge, Windows Shell and Microsoft Office. It is advisable for users and administrators to patch the affected platforms.”
Jon Rudolph, principal software engineer at Core Security, cautions, “The IE vulnerability is a remote code execution if a user can be made to visit a malicious page and the patch requires a restart. There's also a remote code execution vulnerability in JScript and VBScript, which could allow an attack via crafted Office Document and ActiveX controls.”
One of Rudolph’s peers at Core Security, Bobby Kuzma, stresses that the high volume of JScript and VBScript vulnerabilities should prompt Microsoft to adopt a disabled-by-default strategy for these technologies until or unless they can be completely removed from the Windows OS. Kuzma adds, though, “Unfortunately, that will never happen due to the huge legacy application technical debt held by large organizations and governments worldwide.”
Core Security’s Rudolph summed up Microsoft Patch Tuesday with some advice about potentially malicious Office files. “If we're seeing anything that's true from these updates, it's that Office files of unknown origin carry a real threat and people should always be wary to open a file from an unknown source.”
Users should always be wary of untrusted sources, as maliciously crafted content could disclose personal or sensitive information. Rapid7’s Nowak declared, “Your best protection against these threats is to patch as quickly as possible.”